Google announced that, starting in October 2017, all publicly trusted website certificates will have to comply with Chrome’s Certificate Transparency policy to be trusted by its Chrome browser. Mozilla also unveiled its plans to respond to the revelation that WoSign and its StartCom subsidiary compromised many certificates.
Mandatory Certificate Transparency
Certificate Transparency is an open source framework for monitoring and auditing website certificates. It was developed by Google, and then it became an IETF open standard that all browsers can adopt. The idea behind the framework is to see when forged certificates are issued and certificate authorities (CAs) have gone rogue.
Google has punished several certificate authorities for bad behavior over the last few years, including China’s root certificate authority, CNNIC, as well as Symantec. After both CNNIC and Symantec were found to issue certificates to the wrong websites, Google seems to have put Certificate Transparency on a more aggressive adoption path.
Google banned CNNIC from Chrome’s root store and then required CNNIC to adopt the Certificate Transparency monitoring system if it wanted its root certificate to be re-included. Google also required Symantec to undergo a third-party audit after it found that Symantec’s internal audits were poorly done, and to adopt Certificate Transparency for all of its certificates by June 2016.
WoSign/StartCom Go Rogue
More recently, the WoSign certificate authority and its previously undisclosed StartCom subsidiary also misbehaved. WoSign backdated new SHA-1 certificates to get around the January 1, 2016 cutoff for the issuance of SHA-1 certificates.
Google hasn’t taken a specific action against WoSign and StartCom yet, possibly because Mozilla was quick to publish a preview of its own plan to ban new WoSign and StartCom certificates. Google may have thought that banning WoSign itself would be unnecessary at that point, because Mozilla seems to have already gotten WoSign to comply with its requirements.
However, the WoSign incident may have also triggered Google to launch a fixed deadline for requiring full compliance with the Certificate Transparency system from all certificate authorities. The company seems to have already required WoSign and StartCom to adopt Certificate Transparency, and their logs should be recognized in Chrome version 54.
Google realizes that some CAs may have issues with the deadline, which may seem quick to some, so it’s asking certificate authorities and site operators to bring their concerns to IETF’s Public Notary Transparency WG (TRANS) to be discussed before the deadline hits. Google will also work with the CAs in its root store to ensure that they are prepared for the transition.
Mozilla Distrusts WoSign And StartCom Certificates
When WoSign’s misbehavior was discovered, Mozilla was quick to announce a list of actions it was prepared to take against both WoSign and StartCom. Mozilla has now published its full plan, which contains the following actions it’s going to take against WoSign:
1. Mozilla will distrust all new WoSign/StartCom certificates that chain to the affected root certificates after October 21. Existing certificates will preserve their status so as not to disrupt too many websites that rely on them.
If any new certificate backdating is discovered on WoSign certificates, Mozilla will permanently distrust and revoke the affected roots. Mozilla will treat cross-certificates the same way, so WoSign won’t be able to bypass its requirements simply by having another CA cross-sign its root certificates. The list of affected root certificates includes:
- CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
- CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
- CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
- CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
- CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
- CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL
2. The backdated SHA-1 certificates will be added to Firefox’s OneCRL, a list of revoked certificates that the browser will reject and declare insecure.
3. Mozilla will no longer accept audits by Ernst & Young Hong Kong. The company hasn’t clarified why in its latest post, but it may be because the audit agency gave WoSign a passing grade when it shouldn’t have. This could be a warning sign to other audit agencies, too, which will now have to take their own audits much more seriously.
4. Mozilla will remove the affected root certificates from its store after March 2017. Until then, it’s going to work with WoSign to transition to new, more trusted and Certificate Transparency-backed root certificates. However, it seems Mozilla is still reserving the right not to accept WoSign’s new root certificates if it finds anything suspicious about them.
5. Mozilla will also reserve the right to take further actions against WoSign and StartCom if deemed necessary.
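The first action above, as an added example and not Mozilla’s own implementation: it takes the six affected root names as listed, treats “OU=null” as an absent attribute, and classifies a chain as unaffected, legacy (issued on or before October 21) or distrusted. The Cert stand-in, the leaf-first chain representation and the sample chain are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# The affected roots exactly as Mozilla lists them. "OU=null" in that listing means
# the OU attribute is absent, so it is dropped when the DN is normalised.
AFFECTED_ROOT_DNS = [
    "CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN",
    "CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN",
    "CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN",
    "CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN",
    "CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL",
    "CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL",
]
DISTRUST_AFTER = date(2016, 10, 21)  # certificates issued after this date are distrusted

def normalize_dn(dn: str) -> frozenset:
    """Turn 'CN=x, O=y' into an order-independent set of (attribute, value) pairs."""
    pairs = set()
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        if value == "null":  # placeholder for an absent attribute
            continue
        pairs.add((attr.strip().upper(), value.strip()))
    return frozenset(pairs)

AFFECTED = {normalize_dn(dn) for dn in AFFECTED_ROOT_DNS}

@dataclass
class Cert:  # minimal stand-in for a parsed X.509 certificate; dates are ISO strings
    subject: str
    issuer: str
    not_before: str

def evaluate_chain(chain: list) -> str:
    """chain is leaf-first; returns 'unaffected', 'legacy-ok' or 'distrusted'.
    Every subject in the chain is checked, not just the root, so an affected root
    that reappears as a cross-signed intermediate under another CA is caught too,
    which is how Mozilla says cross-certificates will be treated."""
    if not any(normalize_dn(c.subject) in AFFECTED for c in chain):
        return "unaffected"
    issued = date.fromisoformat(chain[0].not_before)
    return "distrusted" if issued > DISTRUST_AFTER else "legacy-ok"

if __name__ == "__main__":  # constructed sample chain, not a real certificate
    root = AFFECTED_ROOT_DNS[4]
    chain = [Cert("CN=example.test", "CN=Example Intermediate CA", "2016-11-01"),
             Cert("CN=Example Intermediate CA", root, "2015-01-01"), Cert(root, root, "2006-01-01")]
    print(evaluate_chain(chain))  # distrusted
```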
Certificate Transparency For More Trusted CAs
Although only a few certificate authorities have been caught misbehaving so far, chances are that out of the thousands of existing CAs, more are doing the same thing. The certificate authority system is rather weak when it comes to security because you have to trust every single CA to behave. Certificate Transparency aims to fix the biggest problems with certificates by putting all of them under constant and permanent monitoring.
This, coupled with at least moderately aggressive actions like the ones taken by Mozilla and Google against misbehaving or rogue certificate authorities, may lead to a significant improvement in the security of the certificate authority system. However, we’ll know more about how well this works after CAs have had to comply with Certificate Transparency for a year or two.